Cannot Use VPN Client to Establish IPSec Tunnel Outside Network

Posted on 2007-11-19
Last Modified: 2010-04-09
Hello Experts -
It's me again.  I got my PIX setup thanks to you but now I can't use the VPN client to connect to a client outside my network.  I have isakmp nat-traversal 20 setup but it's not allowing the VPN traffic.  What do I need to do?  Here's my config...

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password Fd2kjuwTlagiu7qU encrypted
passwd Fd2kjuwTlagiu7qU encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list Remote_Users_splitTunnelAcl permit ip
access-list inside_outbound_nat0_acl permit ip
access-list outside_cryptomap_dyn_20 permit ip any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside
ip audit info action alarm
ip audit attack action alarm
ip local pool Remote_DHCP
no pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0 0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup Remote_Users address-pool Remote_DHCP
vpngroup Remote_Users dns-server
vpngroup Remote_Users split-tunnel Remote_Users_splitTunnelAcl
vpngroup Remote_Users idle-time 1800
vpngroup Remote_Users password ********
telnet timeout 5
ssh inside
ssh timeout 60
console timeout 0
dhcpd address inside
dhcpd dns
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
username username password 9k0WvCzRDylvQEpn encrypted privilege 15
terminal width 80

Thanks for everything.
Question by:chezbrgrs
  • 6
  • 5
  • 3
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 20318941
 Hi chezbrgrs
   You need this
   fixup protocol pptp 1723
   If you upgrade the IOS to 7.0, it will be used as inspections

LVL 28

Expert Comment

ID: 20320210
Are you trying to use IPSEC or PPTP, as MrHusy alludes to?

Author Comment

ID: 20320251
I'm using UDP/IPSEC.  I thought enabling isakmp nat-traversal would take care of all port issues
LVL 28

Expert Comment

ID: 20320341
What type of VPN device are you trying to connect to on the outside?  Does it support using IPSEC over TCP?  I've seen some environments where UDP doesn't work but TCP does.  I've also seen the reverse.  If the other end supports TCP, try that and see what you get.

Author Comment

ID: 20320414
It's a PIX 515.  It works fine when I'm not behind my own PIX.
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 20333030
did fixup work? if didnt try this
access-list outside_access_in permit gre any any
access-group outside_access_in in interface outside

Author Comment

ID: 20334154
Is that fixup for IPSEC tunnels as well?  I thought batry_boy implied it was only for PPTP.
IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

LVL 28

Expert Comment

ID: 20334381
The fixup is only for PPTP tunnels being initiated from inside the PIX outbound to an external PPTP server.  MrHusy's suggestion of allowing inbound GRE traffic is to allow PPTP traffic initiated externally to come inbound.

Author Comment

ID: 20335350
After looking around on the web, does the isakmp traversal need to be setup on the endpoint VPN.  It's setup on mine but I'm not sure about the other one.
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 20335385
"MrHusy's suggestion of allowing inbound GRE traffic is to allow PPTP traffic initiated externally to come inbound."

yep batry you re correct, I misunderstood, ignore it.
LVL 28

Accepted Solution

batry_boy earned 500 total points
ID: 20337218
>>After looking around on the web, does the isakmp traversal need to be setup on the endpoint VPN.  It's setup on mine but I'm not sure about the other one.

Yes, it needs to be set up on the firewall that you're connecting to.  Since you're behind a NAT device (your PIX)when you make the VPN connection, this command will be necessary for you to see traffic behind the remote PIX.  However, it typically allows you to connect, but not see any hosts.  You're reporting that you can't even connect so this sounds a little different.

Have you tried connecting from a different site other than from behind your PIX?  This may isolate the problem further by telling you if it's something to do with your PIX or not.  I'm thinking you need to start looking at the remote PIX configuration.

Author Comment

ID: 20339092
I took a look at the remote PIX configuartion.  It's running 6.1 and isakmp nat-traversal was not introduced until 6.3.  I can't upgrade it now so do I have any alternatives to using nat-traversal?

Author Comment

ID: 20340237
Thanks batry_boy.  I upgraded to 6.3(5) and issued the isakmp nat-traversal command.  It's now working...thanks for your persistance.

LVL 28

Expert Comment

ID: 20345695
Good deal...glad to help.

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

How to configure Site to Site VPN on a Cisco ASA.     (version: 1.1 - updated August 6, 2009) Index          [Preface]   1.    [Introduction]   2.    [The situation]   3.    [Getting started]   4.    [Interesting traffic]   5.    [NAT0]   6.…
Exchange server is not supported in any cloud-hosted platform (other than Azure with Azure Premium Storage).
Sending a Secure fax is easy with eFax Corporate ( First, Just open a new email message.  In the To field, type your recipient's fax number You can even send a secure international fax — just include t…
Illustrator's Shape Builder tool will let you combine shapes visually and interactively. This video shows the Mac version, but the tool works the same way in Windows. To follow along with this video, you can draw your own shapes or download the file…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now